hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,920 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.2
Commit Graph

4906 Commits

Author SHA1 Message Date
Tom Hvitved
c83a29c27f Ruby: Fix a bad join 
Before
```
Evaluated relational algebra for predicate Sinatra#e09174a3::Sinatra::ErbLocalsAccessSummary#fff@22c05bb6 with tuple counts:
          212957   ~2195%    {1} r1 = JOIN _Constant#54e8b051::ConstantValue::getStringlikeValue#0#dispred#ff_Expr#6fb2af19::Expr::getConstantV__#shared WITH Expr#6fb2af19::Pair::getKey#0#dispred#ff_1#join_rhs ON FIRST 1 OUTPUT Lhs.1
        43862468   ~6045%    {2} r2 = JOIN r1 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0
        43862468   ~6581%    {2} r3 = JOIN r2 WITH AST#a6718388::AstNode::getLocation#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1
        43844886  ~40661%    {2} r4 = JOIN r3 WITH locations_default ON FIRST 1 OUTPUT Rhs.1, Lhs.1
           15004   ~8295%    {3} r5 = JOIN r4 WITH project#Sinatra#e09174a3::Sinatra::ErbLocalsHashSyntheticGlobal#ffff_201#join_rhs ON FIRST 1 OUTPUT Rhs.2, Lhs.1, Rhs.1
           15004   ~8890%    {3} r6 = SCAN r5 OUTPUT ("sinatra_erb_locals_access()" ++ In.0 ++ "#" ++ In.1), In.2, In.1
                             return r6
```

After
```
Evaluated relational algebra for predicate Sinatra#e09174a3::Sinatra::ErbLocalsAccessSummary#fff@f6249cga with tuple counts:
         10237       ~0%    {3} r1 = JOIN locations_default_10#join_rhs WITH project#Sinatra#e09174a3::Sinatra::ErbLocalsHashSyntheticGlobal#ffff_201#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Rhs.2
          4015       ~5%    {3} r2 = JOIN r1 WITH AST#a6718388::AstNode::getLocation#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
           825      ~96%    {3} r3 = JOIN r2 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
           940       ~0%    {4} r4 = JOIN r3 WITH Constant#54e8b051::ConstantValue::getStringlikeValue#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.0
        325402       ~0%    {4} r5 = JOIN r4 WITH Expr#6fb2af19::Expr::getConstantValue#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3
        231819  ~133147%    {3} r6 = JOIN r5 WITH Expr#6fb2af19::Pair::getKey#0#dispred#ff_1#join_rhs ON FIRST 1 OUTPUT Lhs.2, Lhs.3, Lhs.1
        231819  ~138805%    {3} r7 = SCAN r6 OUTPUT ("sinatra_erb_locals_access()" ++ In.0 ++ "#" ++ In.1), In.2, In.1
                            return r7
```
 2023-09-14 21:34:17 +02:00
Harry Maclean
5706bc6205 Ruby: Model GraphQL InputObject arguments 2023-09-14 19:02:39 +01:00
Tom Hvitved
c0e600c515 Merge pull request #12672 from hvitved/ruby/implicit-array-reads-at-sinks 
Ruby: Allow for implicit array reads at all sinks during taint tracking
 2023-09-14 15:39:37 +02:00
Tom Hvitved
61bfc4ec09 Merge pull request #14204 from hvitved/ruby/simplify-viable-callable 
Ruby: Simplify `viableSourceCallableNonInit`
 2023-09-14 15:36:47 +02:00
Harry Maclean
5411123b8a Ruby: Fix GraphQL test 2023-09-14 14:14:26 +01:00
Erik Krogh Kristensen
7e7852eff6 Merge pull request #13641 from erik-krogh/multi-char 
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
 2023-09-14 14:48:30 +02:00
Harry Maclean
57ae1ee3e9 Ruby: Add test for GraphQL remote flow sources 2023-09-14 13:46:52 +01:00
Harry Maclean
1526fff085 Ruby: Add missing doc comments 2023-09-14 13:46:37 +01:00
Harry Maclean
20f1a74202 Ruby: Restrict GraphQL remote flow sources 
Previously we considered any splat parameter in a graphql resolver to be
a remote flow source. Now we limit that to reads of the parameter which
yield scalar types (e.g. String), as defined by the GraphQL schema.

This should reduce GraphQL false positives.
 2023-09-14 12:14:56 +01:00
Harry Maclean
4168245fc0 Ruby: Fix doc comments 2023-09-14 10:02:27 +01:00
Harry Maclean
29a8a82e92 Ruby: add more docs for splat flow 2023-09-14 09:26:42 +01:00
Tom Hvitved
97ed5b8afb Ruby: Improvments to splat flow 
- Only step through a `SynthSplatParameterElementNode` when there is a splat parameter
  at index > 0.
- Model read+stores via `SynthSplatArgumentElementNode` as a single read-store
  step in type tracking.
 2023-09-14 09:26:42 +01:00
Harry Maclean
bf51cbad88 Ruby: Update test fixture 2023-09-14 09:26:38 +01:00
Tom Hvitved
e11a4b63e9 Ruby: Remove SynthSplatArgParameterNode 2023-09-14 09:26:38 +01:00
Harry Maclean
5a6a52b767 Ruby: Use fewer SynthSplatArgumentElementNodes 
In cases such as

    def f(x, *y); end

    f(*[1, 2])

we don't need any `SynthSplatArgumentElementNodes`. We get flow from the
splat argument to a `SynthSplatParameterNode` via `parameterMatch`, then
from element 0 of the synth splat to the positional param `x` via a
read step.

We add a read step from element 1 to `SynthSplatParameterElementNode(1)`.
From there we get flow to element 0 of `*y` via an existing store step.
 2023-09-14 09:26:38 +01:00
Harry Maclean
4c1beea465 Ruby: Address review comments 2023-09-14 09:26:33 +01:00
Harry Maclean
3c8683428b Ruby: Model more splat flow (alternative approach) 2023-09-14 08:55:59 +01:00
Harry Maclean
9ccd8cd248 Ruby: Update documentation 2023-09-14 08:54:49 +01:00
Harry Maclean
ef63ea8399 Ruby: Update fixture 2023-09-14 08:54:48 +01:00
Harry Maclean
7ebd51163e Ruby: Handle more splat arg flow 
Allow flow from a splat argument to a positional parameter in cases
where there are positional arguments left of the splat. For example:

    def foo(x, y, z); end

    foo(1, *[2, 3])
 2023-09-14 08:54:48 +01:00
Tom Hvitved
e258324960 Ruby: Allow for implicit array reads at all sinks during taint tracking 2023-09-14 09:40:05 +02:00
Anders Schack-Mulligen
f5a4b792bd C++/Go/Python/Ruby/Swift: Add dummy localMustFlowStep. 2023-09-13 15:43:46 +02:00
Alex Ford
79c305c1a1 Merge pull request #14124 from alexrford/rb/dataflow-query-refactor 
Ruby: Use the new dataflow API for checked in queries
 2023-09-13 14:24:47 +01:00
Tom Hvitved
f15cbb9316 Ruby: Simplify viableSourceCallableNonInit 2023-09-13 14:25:28 +02:00
Tom Hvitved
f3a78efe03 Ruby: Fix semantic merge conflict 2023-09-13 14:04:20 +02:00
Alex Ford
b5ec99cb2f Ruby: fix missing qldoc 2023-09-13 12:28:19 +01:00
Tom Hvitved
7400b4741e Merge pull request #14108 from hvitved/dataflow/more-consistency-checks 
Data flow: Add `ArgumentNode` consistency checks
 2023-09-13 11:30:51 +02:00
Tom Hvitved
88d2e2590f Ruby: Rename LambdaSelfParameterNode to LambdaSelfReferenceNode 2023-09-13 08:52:22 +02:00
Tom Hvitved
b470c36c82 Ruby: Implement multipleArgumentCallExclude 2023-09-12 20:05:11 +02:00
Tom Hvitved
c13a8e41ad Data flow: Add more consistency checks 2023-09-12 20:05:05 +02:00
github-actions[bot]
d699880c86 Post-release preparation for codeql-cli-2.14.4 2023-09-08 21:17:52 +00:00
amammad
d44c9d3e74 stash 2023-09-08 05:51:21 +10:00
Alex Ford
5b013dd5d2 Merge branch 'main' into rb/dataflow-query-refactor 2023-09-07 14:57:38 +01:00
Alex Ford
947fa0de62 Ruby: fix qldoc warnings 2023-09-07 14:57:04 +01:00
Alex Ford
4a01de13ef Ruby: avoid toString in query warning 2023-09-07 14:54:50 +01:00
Alex Ford
0aee7f6ac6 Ruby: qlformat 2023-09-07 14:47:02 +01:00
Alex Ford
13300a2e2f Ruby: un-private PathGraph imports 2023-09-07 14:24:46 +01:00
Alex Ford
a893911dba Ruby: Use a newtype instead of DataFlow::FlowState for insecure-download 2023-09-07 14:22:18 +01:00
Alex Ford
75fdde543f Ruby: Use a newtype instead of DataFlow::FlowState for hardcoded-data 2023-09-07 14:13:26 +01:00
Alex Ford
0d7d5a35c9 Ruby: Use a newtype instead of DataFlow::FlowState for code-injection 2023-09-07 13:39:10 +01:00
Alex Ford
dfc3b33910 Ruby: Use a newtype instead of DataFlow::FlowState for unicode-bypass-validation 2023-09-07 12:09:47 +01:00
amammad
4191b07b1f Merge branch 'github:main' into amammad-ruby-bombs 2023-09-06 20:17:49 +10:00
Tom Hvitved
a06a9ffa29 Address review comments 2023-09-06 11:01:54 +02:00
Tom Hvitved
6de315d086 Add change note 2023-09-06 11:01:54 +02:00
Tom Hvitved
48e2dcfa35 Ruby: Reimplement flow through captured variables using field flow 2023-09-06 11:00:55 +02:00
Tom Hvitved
5d1c399371 Ruby: Add more data-flow tests for captured variables 2023-09-06 10:34:34 +02:00
github-actions[bot]
abf2b12b1c Release preparation for version 2.14.4 2023-09-05 16:56:14 +00:00
Tom Hvitved
a2912cd72b Ruby: Use proper PathGraph module in inline flow tests 
Gets rid of
```
PathNode is incompatible with PathNode (the type of the edge relation).
```
warnings.
 2023-09-04 20:27:34 +02:00
Tom Hvitved
4a1163b38c Merge pull request #14109 from hvitved/ruby/hide-desugared-assignments-in-dataflow 2023-09-04 19:59:33 +02:00
Alex Ford
11e5565344 Merge branch 'main' into add-cwe-208 2023-09-04 12:45:49 +01:00